Overview (score 10/10)
Static
Analysed samples (tab list: score badge, truncated sample name, platform)
7   0ddef96bc1...2c.exe   windows7-x64
7   11a80b9975...b1.exe   windows7-x64
7   13507f1f60...07.exe   windows7-x64
10  1c53d9fda4...dc.exe   windows7-x64
7   3ae9ec7dc2...e0.exe   windows7-x64
3   41ad73fa68...f5.exe   windows7-x64
7   42748e1504...12.exe   windows7-x64
9   46d2ba1c63...b4.exe   windows7-x64
9   49bac3903d...3e.exe   windows7-x64
1   4ffbdd03f2...75.exe   windows7-x64
10  55aa55229e...70.exe   windows7-x64
9   63feec5226...7d.exe   windows7-x64
10  729f51d9a3...32.exe   windows7-x64
7   72ddceebe7...6b.exe   windows7-x64
9   74ec6fffad...7a.exe   windows7-x64
10  7cf39ebb44...57.exe   windows7-x64
10  85110c7148...d3.exe   windows7-x64
10  8d2b0cf8ad...0d.exe   windows7-x64
7   9001d3e08e...26.exe   windows7-x64
10  92aa0505ed...f0.exe   windows7-x64
10  9d081b734c...91.exe   windows7-x64
4   9e288f3839...c7.exe   windows7-x64
7   9e87f069de...21.exe   windows7-x64
10  9f01f1a042...d2.exe   windows7-x64
10  a7b82203fa...4f.exe   windows7-x64
7   b5a2fe5b87...b9.exe   windows7-x64
10  cf0fe3723a...36.exe   windows7-x64
10  cf31156df0...35.exe   windows7-x64
10  f95b6a45f1...61.exe   windows7-x64
9   fd49914f47...24.exe   windows7-x64
General
- Target: 001.rar
- Size: 2.8MB
- Sample: 240720-sv7qds1hqk
- MD5: 494b1f3661964eb30145a7617315dbdb
- SHA1: 48078350d06abe5dfeaad51e4ad6b44768df905d
- SHA256: 9e4a9e8f9c29c2307701b66b27404fdfed5770bbcba40c05edf046e5a3285975
- SHA512: 5e111eb302950623e595b2c3e66c472d4b74e2441e28f48127ba1e603f3f5365ba0b68062d82049bd7111b62ea74db6972d34f55fbe50de2d4e22a5ac2344a22
- SSDEEP: 49152:nw+6eMSIzGKwOpkdWZdQvYVpy6skn+/icU/6Sjd/9DhM1WN:yfSIzfpkdWZdh7dsk+KcYBpl1sWN
Behavioral tasks (task: sample, resource)
- behavioral1: 0ddef96bc1cd9fae381e6f228639c145341e10197cc690a70dc0c8acb46d4c2c.exe, win7-20240708-en
- behavioral2: 11a80b997519711f00a741dcf64788fb99554061a4798509ca55ea4e11957eb1.exe, win7-20240708-en
- behavioral3: 13507f1f60e81e3fcfc2244f5b9e4f5d9d04c6f0beaa34429879afdb24720c07.exe, win7-20240704-en
- behavioral4: 1c53d9fda466a35e127ea0f774d776595ac99f837e0b9fd79ef288859e0a82dc.exe, win7-20240704-en
- behavioral5: 3ae9ec7dc2a13da4eb7ca8467ac659f75bf4dbef45fc13ff63011685c335bde0.exe, win7-20240704-en
- behavioral6: 41ad73fa68a66ac06fe2d12e35dc537a8f5c8ec534a0a82d13f2769f6bb43bf5.exe, win7-20240704-en
- behavioral7: 42748e1504f668977c0a0b6ac285b9f2935334c0400d0a1df91673c8e3761312.exe, win7-20240708-en
- behavioral8: 46d2ba1c63ad30cc0f8952ad248ad7f53382ad7e61df145b7c422c3ac1d111b4.exe, win7-20240704-en
- behavioral9: 49bac3903d2a9fd2ce742c35f8d9804061616874cf9e1a94dfd5007e25a3ca3e.exe, win7-20240708-en
- behavioral10: 4ffbdd03f2424c3013aac4b0cb5eb49a991f89a2533a24f56f47c1a82819c575.exe, win7-20240708-en
- behavioral11: 55aa55229ea26121048b8c5f63a8b6921f134d425fba1eabd754281ca6466b70.exe, win7-20240704-en
- behavioral12: 63feec522666cd97ec0a253cc17cf629a7bdb096c04f0b2de4c1bf959d67a77d.exe, win7-20240704-en
- behavioral13: 729f51d9a39f87c71d4f3fdc6ff811f953c9de16d769cb2b290128fe9d4e7532.exe, win7-20240705-en
- behavioral14: 72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe, win7-20240708-en
- behavioral15: 74ec6fffadcf1771b04dc4fce45f21438e246ac62c1a26d566be68591f6bfd7a.exe, win7-20240705-en
- behavioral16: 7cf39ebb4409b13a7c153abff6661cc4d28d8d7109543d6419438ac9f2f1be57.exe, win7-20240704-en
- behavioral17: 85110c71485fa6b2e79ff0bf5562ab8367e7ca0f31ee27d96ccc9171bd94c7d3.exe, win7-20240708-en
- behavioral18: 8d2b0cf8ad5948bd2267aca64600d7e9d45b4dc8ad6a300d5d3c029bd003220d.exe, win7-20240704-en
- behavioral19: 9001d3e08e34598061281c2187b4deeee8022081f4706e9b7b89d52244ccf426.exe, win7-20240704-en
- behavioral20: 92aa0505ed000f9c5e54313506e3ebd0f1ae37628003a1275e302f6769bdf5f0.exe, win7-20240704-en
- behavioral21: 9d081b734c595a1ae38e254369c0060c5870ee119c9f7853989c23ebc204a291.exe, win7-20240708-en
- behavioral22: 9e288f3839546e5c382c6b3ccc1516a6bf797ad188107534a18eb6e4203117c7.exe, win7-20240705-en
- behavioral23: 9e87f069de22ceac029a4ac56e6305d2df54227e6b0f0b3ecad52a01fbade021.exe, win7-20240708-en
- behavioral24: 9f01f1a042c48b0e51f5e6029a661f5f08aad6ca0912a1b444afac6f2d4f2ad2.exe, win7-20240708-en
- behavioral25: a7b82203fa6a1831100fd414a5ef599edfbc72e63e34fc9847dd4e96c0bac64f.exe, win7-20240704-en
- behavioral26: b5a2fe5b87deed18b789929faaa7601771de63dfe6a670d09224aa57ebe8c6b9.exe, win7-20240708-en
- behavioral27: cf0fe3723a41d7105f5b6d8a1be3ef6d43135c96714ffcb2c19d8a9ad9021c36.exe, win7-20240704-en
- behavioral28: cf31156df08d27e16fb25b16c42176b04fa7d968e18c58e9017c7d85ffce4435.exe, win7-20240705-en
- behavioral29: f95b6a45f1ae3b4ddf74fcc2f193a0a25df6f272b722e5c29edc838a99180061.exe, win7-20240705-en
- behavioral30: fd49914f47d9ed24fe475c263a32b34d9ed9e472379ede30530a4a3c64510d24.exe, win7-20240708-en
Malware Config
Extracted
- Path: C:\Users\RNTKH-MANUAL.txt
- Family: gandcrab
- URL: http://gandcrabmfe6mnef.onion/e8eea44c8df4c1c
Extracted
- Path: F:\$RECYCLE.BIN\S-1-5-21-3450744190-3404161390-554719085-1000\YOEMLUCLFX-MANUAL.txt
- Family: gandcrab
- URL: http://gandcrabmfe6mnef.onion/754743142d13ad41
Extracted
- Path: C:\Users\HJZMTGUT-MANUAL.txt
- Family: gandcrab
- URL: http://gandcrabmfe6mnef.onion/36504b3a41889fc1
Extracted
- Path: C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\[HOW_TO_DECRYPT_FILES].html
Extracted
- Path: F:\$RECYCLE.BIN\S-1-5-21-3434294380-2554721341-1919518612-1000\ESJMCGQVP-MANUAL.txt
- Family: gandcrab
- URL: http://gandcrabmfe6mnef.onion/25c3b1d127559e6a
Extracted
- Path: C:\$Recycle.Bin\PFPQSKAEOA-MANUAL.txt
- Family: gandcrab
- URL: http://gandcrabmfe6mnef.onion/a2bb8533ce2582a4
Extracted
- Path: C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\#DECRYPT_MY_FILES#.html
Extracted
- Path: C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\[HOW_TO_DECRYPT_FILES].html
Extracted
- Path: C:\$Recycle.Bin\WOBTRC-MANUAL.txt
- Family: gandcrab
- URL: http://gandcrabmfe6mnef.onion/b2129ec222655a45
Extracted
- Path: F:\$RECYCLE.BIN\S-1-5-21-3434294380-2554721341-1919518612-1000\MORVALFM-MANUAL.txt
- Family: gandcrab
- URL: http://gandcrabmfe6mnef.onion/756f5b77f51355cc
Targets

Target: 0ddef96bc1cd9fae381e6f228639c145341e10197cc690a70dc0c8acb46d4c2c.exe
- Size: 278KB
- MD5: 09180c7dccacffdf04ab67cf8909b5f2
- SHA1: ebcd05145f771a48ba3f50bcef46121344817575
- SHA256: 0ddef96bc1cd9fae381e6f228639c145341e10197cc690a70dc0c8acb46d4c2c
- SHA512: 5f90272144c53b30d61635bd9d7c4eaeb442282361d00f8183cbf3319a74202f357e593f6a0e522b214b836509332affcf142b31684b5807e114c88b5cb16c4e
- SSDEEP: 3072:+TDshiWfaoizdfUICi9IyFiD2vEOAaZ/xr+VBFaI1YIYiheeeeeeeeefYDeOiClE:tfaDzdg0IsAwZrMBgkSOG9iO2RK

Target: 11a80b997519711f00a741dcf64788fb99554061a4798509ca55ea4e11957eb1.exe
- Size: 36KB
- MD5: b7122a5e603f633bea652729f79b46f1
- SHA1: 1f7f13d4e5a835a5164b4d5e2decd253fe38e340
- SHA256: 11a80b997519711f00a741dcf64788fb99554061a4798509ca55ea4e11957eb1
- SHA512: f2e34136dfa31c9b7507543306a632ff83480cbbc65b28fe7167aacce6f2fb21b89be837affee9b82def6fe4fccba414ca4af39c968cd456d3102f8cbc36a816
- SSDEEP: 768:LzM32Zl0l3KLcHPg+RjNAJcsELn/bi2wMlk9aubgIgj0mqew:LSQw/jxP7MTzYrqew

Target: 13507f1f60e81e3fcfc2244f5b9e4f5d9d04c6f0beaa34429879afdb24720c07.exe
- Size: 255KB
- MD5: e4611c388a33ccd1a7d3d4a996e32fa3
- SHA1: 61c206f323eeb960873f5d9728011b774075c01a
- SHA256: 13507f1f60e81e3fcfc2244f5b9e4f5d9d04c6f0beaa34429879afdb24720c07
- SHA512: 596630e87eca6aa87a5861a77f21eb9cecf82add1c5d02a27c36b0ec22f8c770e2cd81b240a3db14ea59c09389360e2a1aaf5e28ab5627e8714f0cfef8dddce0
- SSDEEP: 6144:vcOUIh8dlf/I2K7OQp/ymns6U7b3CN0lo3On:08h8rHI2K7jp/UXSNb+n
Signatures:
- Deletes shadow copies: Ransomware often targets backup files to inhibit system recovery.
- Renames multiple (287) files with added filename extension: This suggests ransomware activity of encrypting all the files on the system.
- Drops startup file
- Enumerates connected drives: Attempts to read the root path of hard drives other than the default C: drive.
- Sets desktop wallpaper using registry

Target: 1c53d9fda466a35e127ea0f774d776595ac99f837e0b9fd79ef288859e0a82dc.exe
- Size: 46KB
- MD5: d1cb2d7ca5643dca3f7143ef440209f4
- SHA1: 55746c8664c60bd78a730a2421e0ec4b3bc424b3
- SHA256: 1c53d9fda466a35e127ea0f774d776595ac99f837e0b9fd79ef288859e0a82dc
- SHA512: abd18bb118590e46c26c9518a6c6b7acf240e5652c0cac6cc5d8a6c0d8c4143c0fff634e95b29c604524d71cec81c97cc411bae33c029037621ccc41591d225e
- SSDEEP: 768:xBiSJXLnGKOGqvrFKrfJx860qT/b3rk+5CibTx5b/IREKbSrVMmijabyrHehx+BM:xRgxvhKrf38KT/bgoTx5seKbSxWa0ccm

Target: 3ae9ec7dc2a13da4eb7ca8467ac659f75bf4dbef45fc13ff63011685c335bde0.exe
- Size: 43KB
- MD5: 0d7f21d96c832bee780168489799888a
- SHA1: d916ffc55be542fca048ef13a9ec3bef3c70d464
- SHA256: 3ae9ec7dc2a13da4eb7ca8467ac659f75bf4dbef45fc13ff63011685c335bde0
- SHA512: 4a59e60a20f15260def46fed3d4ee70b04e830643348c3018f715caf43659e956e920f5cd9adce55d2495e5fa47f192219052f1b13e13853ddf5e0e2749ecf50
- SSDEEP: 768:jI2Er0ofK5/lQ0YSHiZka7NgpNGYzsUSy9PlQ1b3tqDDiNeH4jx9rHcKHL4R:jIL4ofg/lTYSHSMPdYTyCzx9FHL
Score: 3/10

Target: 41ad73fa68a66ac06fe2d12e35dc537a8f5c8ec534a0a82d13f2769f6bb43bf5.exe
- Size: 45KB
- MD5: 9f7fa29d1f74d761991dac02be8b46bc
- SHA1: e3865acf369a4f118a97169a957c820f94db515e
- SHA256: 41ad73fa68a66ac06fe2d12e35dc537a8f5c8ec534a0a82d13f2769f6bb43bf5
- SHA512: 7e78f4514e50b68cbc19a3e40543a7929b4da338c8fbccae7d43fc1082285a06c4708bc9ea4d4aa32906ebb8a3df9bbfbe441b48477d64c77896fd6a0e17440e
- SSDEEP: 768:8p+cLlu75U5xC/4VBzVdmd7kPHXvqPG+t2u3juYoxguzmQxyMMi0:8jlu75U5QAXrmdNPx4u6Yox/hEMMi0

Target: 42748e1504f668977c0a0b6ac285b9f2935334c0400d0a1df91673c8e3761312.exe
- Size: 224KB
- MD5: c49902c175154630349cc10a9eda0363
- SHA1: 7074240b4abd8e8eac3e0d405630b4ab10e5a744
- SHA256: 42748e1504f668977c0a0b6ac285b9f2935334c0400d0a1df91673c8e3761312
- SHA512: f004185e7cb730b991e19b75e33a84ae2b903c1c4c1a1dc7b1c8bb7e64befa6cc80048a4c73a7cb25450da4a95eff6652e19ff17f80f0e1e3eb99069bf474820
- SSDEEP: 3072:tPokaghmM6wQ+ks8Bv/ESCGmYSfKpmC9tPozIx/tAg0FujtBy9kVV8av:ui4MqhBnESCGmrK7NtAOqGIav
Score: 9/10
Signatures:
- Renames multiple (137) files with added filename extension: This suggests ransomware activity of encrypting all the files on the system.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Legitimate hosting services abused for malware hosting/C2

Target: 46d2ba1c63ad30cc0f8952ad248ad7f53382ad7e61df145b7c422c3ac1d111b4.exe
- Size: 12KB
- MD5: 095ae02d1a70dbabccd47bd0d0a706eb
- SHA1: 020c8440d7d1dbd8fc415fbce40191ac195c0e6c
- SHA256: 46d2ba1c63ad30cc0f8952ad248ad7f53382ad7e61df145b7c422c3ac1d111b4
- SHA512: 8b74f8bd1ec052df05b92145d2bb447194974b2ac0a9d68e7d3e026d2e902cbc9ec4080b72d67fb3911cce4d8c23814bc26d8e07a800c3e1dfdd3f5fcaf3a7c9
- SSDEEP: 192:FSRoff34J4cvAWyjx4cL9rd83Miy4lzknkrwzZrAU/i8stYcFOKc03KY:FSKa7wd4w4+avUZrv/iptYcFOKc03K
Score: 9/10
Signatures:
- Renames multiple (73) files with added filename extension: This suggests ransomware activity of encrypting all the files on the system.

Target: 49bac3903d2a9fd2ce742c35f8d9804061616874cf9e1a94dfd5007e25a3ca3e.exe
- Size: 80KB
- MD5: e6e6dbeb428a08f36853e0859c0d6710
- SHA1: 48201ffc1525b8b93c8a624f66c09cbb51575301
- SHA256: 49bac3903d2a9fd2ce742c35f8d9804061616874cf9e1a94dfd5007e25a3ca3e
- SHA512: e38a97d60da1ead834e95165e30771217da7682871e4596a0ec42598cc6172357d5b3832267a5d84e52cdad59fcf9df1e042299e58a48a78f4708f3a08482901
- SSDEEP: 1536:gwGBY/Hnnd3gAd9JND4/dqDoCL92SVmf9m2dSEKuT2PRB6:gwUGHnndQAda/sD90SuVSEKuqJB6
Score: 1/10

Target: 4ffbdd03f2424c3013aac4b0cb5eb49a991f89a2533a24f56f47c1a82819c575.exe
- Size: 171KB
- MD5: 93cb86dedb2c4a4fa472e47600e85874
- SHA1: 7462638a800fdd18a0614172c582aebd47a91253
- SHA256: 4ffbdd03f2424c3013aac4b0cb5eb49a991f89a2533a24f56f47c1a82819c575
- SHA512: e5ae4e0806907651c6fd2bdc7703e177d0b89ecf494151d18076db062e1f60b4d2241e921be08704273dcf1d9e42135dc459a681c01592ed73c7c84d8bbddf87
- SSDEEP: 3072:mmyqA/BIkrL0kMZ2m7ksIS/bOpd5sF2Fj3YyP:lQ/BIkf0V27sFbONsF2Fjx
Signatures:
- Deletes shadow copies: Ransomware often targets backup files to inhibit system recovery.
- Renames multiple (274) files with added filename extension: This suggests ransomware activity of encrypting all the files on the system.
- Drops startup file
- Enumerates connected drives: Attempts to read the root path of hard drives other than the default C: drive.
- Sets desktop wallpaper using registry

Target: 55aa55229ea26121048b8c5f63a8b6921f134d425fba1eabd754281ca6466b70.exe
- Size: 138KB
- MD5: 681211a7b964eaffd13e0610d82a25e7
- SHA1: 62a4a462c4535ef21411d29c9d8273cbe2fbc2fa
- SHA256: 55aa55229ea26121048b8c5f63a8b6921f134d425fba1eabd754281ca6466b70
- SHA512: 17c0edafc5c652841d684eb9ec5909ff1b0b47a0c04bd689a81cf03ade9e0efa077170a2c64f3c993f548838276d86774b73922b9484c1d22d182e41c5a02e8e
- SSDEEP: 3072:vDaz8uS5prazAw8JN1SJFkuh2z5lWmd4ox33:OySAUh6hd4ox
Score: 9/10
Signatures:
- Renames multiple (122) files with added filename extension: This suggests ransomware activity of encrypting all the files on the system.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application

Target: 63feec522666cd97ec0a253cc17cf629a7bdb096c04f0b2de4c1bf959d67a77d.exe
- Size: 273KB
- MD5: 320dd92ca62a321d2ac4539f105aa286
- SHA1: f46e943bf9e8609167656d5f26b4bdf80019b016
- SHA256: 63feec522666cd97ec0a253cc17cf629a7bdb096c04f0b2de4c1bf959d67a77d
- SHA512: 89861ebe63d42d099b751f84bbe7a7b37a363d178e73a6467cbffbaa2ae99167f81cfe3695b64fa124a7fd74097ab568a3f4e2a64a4fac0ef0a6b1e9d3fc943e
- SSDEEP: 3072:GdDlBBfTiNcKwLQ2zZE99VYvUcT0mPqkaYc+dv+Ld4NTJnLOXJKYlEQqMRiPVHUc:K3EAqkhc+1bLxdxMR0VHT9GHq
Signatures:
- Deletes shadow copies: Ransomware often targets backup files to inhibit system recovery.
- Renames multiple (281) files with added filename extension: This suggests ransomware activity of encrypting all the files on the system.
- Drops startup file
- Enumerates connected drives: Attempts to read the root path of hard drives other than the default C: drive.
- Sets desktop wallpaper using registry

Target: 729f51d9a39f87c71d4f3fdc6ff811f953c9de16d769cb2b290128fe9d4e7532.exe
- Size: 111KB
- MD5: bff182346d47cb63a14d57c20775ca52
- SHA1: 3c095f73b9e5155ab9d08496909a9344c86a0da7
- SHA256: 729f51d9a39f87c71d4f3fdc6ff811f953c9de16d769cb2b290128fe9d4e7532
- SHA512: d241a3b33abd867dce860651217bf0d19d9a2e59bb4f8995ab0910333e5317e166b7ce21b319cc0ffde76c640395570c7baeecd4d662e2dcbcdda46bed2570fe
- SSDEEP: 3072:4jsU4kcPBbaCcsKsraOkWo86d5TEi9fh40EZl0:04kuRaVzQ7SQi95p

Target: 72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe
- Size: 268KB
- MD5: 4e2b58f99ad9f13c2b09f0741739775d
- SHA1: 6a51d0cd9ea189babad031864217ddd3a7ddba84
- SHA256: 72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b
- SHA512: dd74f94fbe6324410e832ab22b2807bbc5bc4171704477898a2b64a1ce6a7b3a289a4fb399412152b33a6b286e439c8d89eca4d5cba7bcd65dcb864e18487ebd
- SSDEEP: 3072:gfLB0w+Wv5pa/Dc/nuOL23e8aoeE+aqfnfj59AEYfzaBUGm+0lh831QPfrwV6cFK:+TgenuOLCL+559AEq+m+jmEIcFaNtN
Signatures:
- Deletes shadow copies: Ransomware often targets backup files to inhibit system recovery.
- Renames multiple (8610) files with added filename extension: This suggests ransomware activity of encrypting all the files on the system.
- Deletes itself
- Adds Run key to start application
- Drops desktop.ini file(s)
- Suspicious use of SetThreadContext

Target: 74ec6fffadcf1771b04dc4fce45f21438e246ac62c1a26d566be68591f6bfd7a.exe
- Size: 169KB
- MD5: aa98b4d3b2f7fdbe2a90df0a8e6c0bde
- SHA1: 19c84fc638754e0123efc47df31696ca2acfda7f
- SHA256: 74ec6fffadcf1771b04dc4fce45f21438e246ac62c1a26d566be68591f6bfd7a
- SHA512: 128fe9a14f2d9d4655a56089a7cb26b28d7d0423412e6d677ae29dbc7eacda99f6c8788e443d2ee6264ab0a25a05f98381d5042447ae1b9269b98fcefe39267a
- SSDEEP: 3072:Qpd5kyqA/BIkrL0kMZ2m7ksIS/bUctF2F1:QNkQ/BIkf0V27sFbUctF2F
Signatures:
- Deletes shadow copies: Ransomware often targets backup files to inhibit system recovery.
- Renames multiple (271) files with added filename extension: This suggests ransomware activity of encrypting all the files on the system.
- Drops startup file
- Enumerates connected drives: Attempts to read the root path of hard drives other than the default C: drive.
- Sets desktop wallpaper using registry

Target: 7cf39ebb4409b13a7c153abff6661cc4d28d8d7109543d6419438ac9f2f1be57.exe
- Size: 443KB
- MD5: fd5ae61959c9590036881cb809891029
- SHA1: f930d520913b407ab3cb5d7ecf5ee2a7dca1c071
- SHA256: 7cf39ebb4409b13a7c153abff6661cc4d28d8d7109543d6419438ac9f2f1be57
- SHA512: 2feb832498370c7635d42913a4328b3ba797e67cf6f7cdadc769dd549b251b05f340899229fcf76ccc1f8fe5d1512d769f581079ac06c6459669d536ba1c1fbb
- SSDEEP: 6144:I9LJ4d2DvM1V4LKPx7WlkJhW0lNVel9zXAjqiORKmb+Ylr48ov/P:IIdBrSKPx+T597iOMOTh48ov
Signatures:
- Process spawned unexpected child process: This typically indicates the parent process was compromised via an exploit or macro.
- Deletes shadow copies: Ransomware often targets backup files to inhibit system recovery.
- Modifies boot configuration data using bcdedit
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Sets desktop wallpaper using registry

Target: 85110c71485fa6b2e79ff0bf5562ab8367e7ca0f31ee27d96ccc9171bd94c7d3.exe
- Size: 490KB
- MD5: fbc52bacf2a9cf126ef406ed1d1dbfa6
- SHA1: 8638cd625af218e16e5cfc8153efb5b058b78845
- SHA256: 85110c71485fa6b2e79ff0bf5562ab8367e7ca0f31ee27d96ccc9171bd94c7d3
- SHA512: 94f39c321d27a1fd515d78e0050417959d067e97c34e1a3c26b7d359f75d8cbeafbf0b16ae6a750b3c78726c16fabd2d282eda74efebe76e81184723d6271352
- SSDEEP: 12288:Yutrzh9xOXojrUymULpA3mxW7tOmg696UXjoA9GMvWToEJeN:Yutr5OYjjmUdymg0gzbgHo5
Signatures:
- Modifies security service
- Deletes shadow copies: Ransomware often targets backup files to inhibit system recovery.
- Boot or Logon Autostart Execution: Active Setup: Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
- Disables taskbar notifications via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Sets service image path in registry
- Executes dropped EXE
- Loads dropped DLL
- Drops desktop.ini file(s)

Target: 8d2b0cf8ad5948bd2267aca64600d7e9d45b4dc8ad6a300d5d3c029bd003220d.exe
- Size: 92KB
- MD5: 50f138dfaad27ff53d8f69352c25e770
- SHA1: a8267267a71db76301c09b146dcd0ad1fe5195fd
- SHA256: 8d2b0cf8ad5948bd2267aca64600d7e9d45b4dc8ad6a300d5d3c029bd003220d
- SHA512: b01e39cc2374206ea1d1b7a24896fcac646d189fdf5e6369e9327635a5b7e0b6206096d6bc7c548c8a94915006e73553d686a9b7824af614da3600df7aa58bda
- SSDEEP: 1536:p7mqIEF7ivk6miU9ffYm4SeSwvGJlUFYfK7csKsraOkWo8XKlH+ymmfAsLASAq:Mvgivw9wBaGcsKsraOkWo86lHB9fxLA5

Target: 9001d3e08e34598061281c2187b4deeee8022081f4706e9b7b89d52244ccf426.exe
- Size: 410KB
- MD5: f660796e27a752ba6037ee68f44b29d4
- SHA1: dcd5a2ac5bae36bacb4b3ce15b63b5af3c4c9d33
- SHA256: 9001d3e08e34598061281c2187b4deeee8022081f4706e9b7b89d52244ccf426
- SHA512: d8219d64b9d576308b0a2a44cf1bd22ec2973fdee4b775c6dc38689a39772468acd2fec2d8b50ad8d8925f8f14ae9722dcc2ca74f1b50eb74851590acea0daaf
- SSDEEP: 6144:wZOmcTK/WkW0PwFgRfqPKbmZq3f2GaYoccionP0+nwWjn:xmcT44FgRSSKZeSc1ocKxjn
Signatures:
- Deletes shadow copies: Ransomware often targets backup files to inhibit system recovery.
- Renames multiple (302) files with added filename extension: This suggests ransomware activity of encrypting all the files on the system.
- Drops startup file
- Enumerates connected drives: Attempts to read the root path of hard drives other than the default C: drive.
- Sets desktop wallpaper using registry

Target: 92aa0505ed000f9c5e54313506e3ebd0f1ae37628003a1275e302f6769bdf5f0.exe
- Size: 197KB
- MD5: d5af92ab973f641a23df5d0f955a4854
- SHA1: e99e0b35c6672b15cd2cb927d8462609fd6e9067
- SHA256: 92aa0505ed000f9c5e54313506e3ebd0f1ae37628003a1275e302f6769bdf5f0
- SHA512: 96fededa28ff7918aae0ef83463384b55ba2b7e146d78c7f2557a5e4218181de7abf4c3a2ff0dba6822cfc983e92af8e9fc50698a20c69daff0fa79e1094ba6a
- SSDEEP: 3072:j4iTqLw4MdVql02+btqf1y3SCbFOg580+ZXEhkUy3j6aviwK+CRXs5F89B:8iWLPmVqll+8fWSkO90+Z593j6OiwwD
Signatures:
- Deletes shadow copies: Ransomware often targets backup files to inhibit system recovery.
- Renames multiple (267) files with added filename extension: This suggests ransomware activity of encrypting all the files on the system.
- Drops startup file
- Enumerates connected drives: Attempts to read the root path of hard drives other than the default C: drive.
- Sets desktop wallpaper using registry

Target: 9d081b734c595a1ae38e254369c0060c5870ee119c9f7853989c23ebc204a291.exe
- Size: 24KB
- MD5: 8a1225f47aa9f0673c32983f1b2b2c5b
- SHA1: 742f2364f2d5f10385b56c22ecf17a3cdcc53346
- SHA256: 9d081b734c595a1ae38e254369c0060c5870ee119c9f7853989c23ebc204a291
- SHA512: d633dc2caa28a0a782108b9d47d43322c6f1d95c82903219b4b83eb491691217916e7eee35a0eb206aae2937523896e538141e524b396c2ae7210ec8f8238827
- SSDEEP: 96:/lx5KHYFNV+Vvl/iABo1FYXGgn2PUkWf2BtvXrs2aoE8y79h9jSUyrW9EhN:/TzmVvl/vaKdnvJeBtvXrsr352UyCEh
Score: 4/10

Target: 9e288f3839546e5c382c6b3ccc1516a6bf797ad188107534a18eb6e4203117c7.exe
- Size: 42KB
- MD5: e7b365fbcce1ea6c057bf8d3c06c2879
- SHA1: 4b66fc1e7b48d2c3b35c07fc5ce8173b039016a3
- SHA256: 9e288f3839546e5c382c6b3ccc1516a6bf797ad188107534a18eb6e4203117c7
- SHA512: cbf80afc11763e0861da5d30571f1d5f4975cb511abc49b9ddbecb7a906d65e5066e626aef089157e22e880da32ed8968825ca7cd859cd0364c9acc33453cdd7
- SSDEEP: 768:mXlsdclumB/3GWK1Bmf/gsAyIpv6G/3PM17GhWy:gMclnKPmfu/
Signatures:
- Drops file in System32 directory

Target: 9e87f069de22ceac029a4ac56e6305d2df54227e6b0f0b3ecad52a01fbade021.exe
- Size: 338KB
- MD5: bbd4c2d2c72648c8f871b36261be23fd
- SHA1: 77c525e6b8a5760823ad6036e60b3fa244db8e42
- SHA256: 9e87f069de22ceac029a4ac56e6305d2df54227e6b0f0b3ecad52a01fbade021
- SHA512: 38f2ff3b7ff6faa63ef0a3200e0dbb9e48e1d404a065f6919cb6d245699479896a42316f299c33c8cc068922934c64f8aa06c88b000d1676870c1d0c0f18e14a
- SSDEEP: 6144:zUrigyvF8Q9fLglQ8t0qabFDfOdQ/LDA8H+wwaMZUUAOq+mwNf8fsS+:zUrigY8QBLg9t0qabFDGdQ/TlYiUQ+Vz
Signatures:
- Deletes shadow copies: Ransomware often targets backup files to inhibit system recovery.
- Enumerates VirtualBox registry keys
- Looks for VirtualBox Guest Additions in registry
- Renames multiple (169) files with added filename extension: This suggests ransomware activity of encrypting all the files on the system.
- Checks BIOS information in registry: BIOS information is often read in order to detect sandboxing environments.
- Deletes itself
- Drops startup file
- Sets desktop wallpaper using registry

Target: 9f01f1a042c48b0e51f5e6029a661f5f08aad6ca0912a1b444afac6f2d4f2ad2.exe
- Size: 137KB
- MD5: 90c3d889324a93c1c90f05fd63597dae
- SHA1: 1f5bc404738304231485054c6586a5036816e95e
- SHA256: 9f01f1a042c48b0e51f5e6029a661f5f08aad6ca0912a1b444afac6f2d4f2ad2
- SHA512: fbaf6261b8b5596b03eddcebaa54bf4e44753878026adf969847fb25738013a6436a40da8577f2de5e5c15cc7c74a37115b454445ecaa778fec7e8588c4c3455
- SSDEEP: 3072:gMmgyo3o4+2YK7b21Tve+Owhm0ewGbAFv:gMmgyo3o0YK7bATvxOwsbG
Signatures:
- Process spawned unexpected child process: This typically indicates the parent process was compromised via an exploit or macro.
- Deletes shadow copies: Ransomware often targets backup files to inhibit system recovery.
- Modifies boot configuration data using bcdedit
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Sets desktop wallpaper using registry

Target: a7b82203fa6a1831100fd414a5ef599edfbc72e63e34fc9847dd4e96c0bac64f.exe
- Size: 45KB
- MD5: efdeebc05e7cfee5a07fa3dd7ab20e1f
- SHA1: b1c23a7a399e24cb27213c5efca15cfba8baff06
- SHA256: a7b82203fa6a1831100fd414a5ef599edfbc72e63e34fc9847dd4e96c0bac64f
- SHA512: 261d489b6637751ca6eda5e6702d8e1d38028314cf4f7899951cafa59fa7a0e5f2021eab6bcf42b006a2515c0ce5e811a06e96aae6a2c5db10225a2450114e5d
- SSDEEP: 768:DPphueH/BQLusoLpaXAMUPfktNLcVxdlupCuEkOWASuoeimtO4w8q8B3A:DPpB1soLpaQ/nymvH7W/feLtLB3A

Target: b5a2fe5b87deed18b789929faaa7601771de63dfe6a670d09224aa57ebe8c6b9.exe
- Size: 168KB
- MD5: d1c616cf0fd1eb61164e9091cad354c5
- SHA1: 444539834e496f04cf9c07594645ca252f3b52a8
- SHA256: b5a2fe5b87deed18b789929faaa7601771de63dfe6a670d09224aa57ebe8c6b9
- SHA512: 441477d5a429dad3e499e943c8dfb54ad673320eed81f4fec00b3798839b3bb296c446354d5e1f46ec52aa278417011ab8ae7f374df1347e341e46243276af00
- SSDEEP: 3072:B36NS6YsVsI11Tl2JD5wMPm+RY8RvPCdSGk8RQcj2Er:B3H6TsuzYGMgWcSE
Signatures:
- Deletes shadow copies: Ransomware often targets backup files to inhibit system recovery.
- Renames multiple (275) files with added filename extension: This suggests ransomware activity of encrypting all the files on the system.
- Drops startup file
- Enumerates connected drives: Attempts to read the root path of hard drives other than the default C: drive.
- Sets desktop wallpaper using registry

Target: cf0fe3723a41d7105f5b6d8a1be3ef6d43135c96714ffcb2c19d8a9ad9021c36.exe
- Size: 169KB
- MD5: fb6fc3f65a53371756e4806bb5b1ce88
- SHA1: 4a3f16f710b8732ac769f66bca4292220d1c045a
- SHA256: cf0fe3723a41d7105f5b6d8a1be3ef6d43135c96714ffcb2c19d8a9ad9021c36
- SHA512: b7541b5ae16e91565d4f8041e2f416f3c3f065c5f7b0b187aa81c5f7a1af5bef75342f382a7a0cba12732f301e872d5758c0ae7b61657a8bcab141b3f1db4adc
- SSDEEP: 3072:/fCjdqA19PzcD28y+IDN8FPguf/I2KbnehQpSEymq9Gs6c/R7b3doBHpT0FFH8Yc:iCIh8dlf/I2K7OQp/ymns6U7b3CsOOFO
Signatures:
- Deletes shadow copies: Ransomware often targets backup files to inhibit system recovery.
- Renames multiple (294) files with added filename extension: This suggests ransomware activity of encrypting all the files on the system.
- Drops startup file
- Enumerates connected drives: Attempts to read the root path of hard drives other than the default C: drive.
- Sets desktop wallpaper using registry

Target: cf31156df08d27e16fb25b16c42176b04fa7d968e18c58e9017c7d85ffce4435.exe
- Size: 89KB
- MD5: e3b25f81f0a21cfcda2848897c3734fd
- SHA1: 1e068334dd9a1b73dc4491cabbcfe2ce31579ee0
- SHA256: cf31156df08d27e16fb25b16c42176b04fa7d968e18c58e9017c7d85ffce4435
- SHA512: 395ad7858574dbfa819d451194245099c6e6a129e9369ae1ff16b323e5918cf4f81467edef674494e0b128a650c6693e44bd9de2fb319bf8c7bf024b10e6bd39
- SSDEEP: 1536:x4B3t0KkhodqWUpJ6pPMxTl4YKRPu7/dgEOTvezuKtlx7D34nIsgf+YziT9pwqlq:xM5k6qWFvYKRPIgEOTveDnx7Don76+Yr
Signatures:
- Process spawned unexpected child process: This typically indicates the parent process was compromised via an exploit or macro.
- Deletes shadow copies: Ransomware often targets backup files to inhibit system recovery.
- Modifies boot configuration data using bcdedit
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Sets desktop wallpaper using registry

Target: f95b6a45f1ae3b4ddf74fcc2f193a0a25df6f272b722e5c29edc838a99180061.exe
- Size: 220KB
- MD5: 75795c8ef2b35b12e73305c32b010e84
- SHA1: 17bf9c32f3920ea9ed3614c0a067cf07d4419ba8
- SHA256: f95b6a45f1ae3b4ddf74fcc2f193a0a25df6f272b722e5c29edc838a99180061
- SHA512: aafd5f6d72405c71093d9e0649f7923a4325af6faf381af0da1f66c49e194b98cc7cb80cfb29dcba8b5bda5e80f5124a0f908d90a406d79025e0fa2f2ad5570b
- SSDEEP: 6144:eVDC9bGASz7+OeO+OeN7VBBhhBBNu1IFksAOTRGC2Bu:e0KAS+OeO+OeNhBBhhBBN0IFksL
Signatures:
- Deletes shadow copies: Ransomware often targets backup files to inhibit system recovery.
- Renames multiple (9821) files with added filename extension: This suggests ransomware activity of encrypting all the files on the system.
- Deletes itself
- Drops desktop.ini file(s)

Target: fd49914f47d9ed24fe475c263a32b34d9ed9e472379ede30530a4a3c64510d24.exe
- Size: 188KB
- MD5: 6f6be02547e9365d2ca5173dc8e5201a
- SHA1: ffb1b17d0b3d3fe71b250cad13b2371f5e4f0452
- SHA256: fd49914f47d9ed24fe475c263a32b34d9ed9e472379ede30530a4a3c64510d24
- SHA512: 65b5224240e62ef405f86ce678e94f62953af0fc89cebf6d2457f675adb2f58d007953b9a654f01c66f1c87bcc4d66bbb8585aa66acfbce51334cf6202d4254d
- SSDEEP: 3072:7dIDN8FPguf/I2KbnehQpSEymq9Gs6c/R7b3doBHZT0FFH8MubkJ8wo1:xIh8dlf/I2K7OQp/ymns6U7b3C8ObGo1
Signatures:
- Deletes shadow copies: Ransomware often targets backup files to inhibit system recovery.
- Renames multiple (302) files with added filename extension: This suggests ransomware activity of encrypting all the files on the system.
- Drops startup file
- Enumerates connected drives: Attempts to read the root path of hard drives other than the default C: drive.
- Sets desktop wallpaper using registry
MITRE ATT&CK Enterprise v15 (the number after each technique is the count shown in the report)
Execution
- Command and Scripting Interpreter: 1
- System Services: 1
- Service Execution: 1
- Windows Management Instrumentation: 1
Persistence
- Boot or Logon Autostart Execution: 3
- Active Setup: 1
- Registry Run Keys / Startup Folder: 2
- Create or Modify System Process: 3
- Windows Service: 3
- Event Triggered Execution: 1
- Image File Execution Options Injection: 1
Privilege Escalation
- Boot or Logon Autostart Execution: 3
- Active Setup: 1
- Registry Run Keys / Startup Folder: 2
- Create or Modify System Process: 3
- Windows Service: 3
- Event Triggered Execution: 1
- Image File Execution Options Injection: 1
Defense Evasion
- Direct Volume Access: 1
- Hide Artifacts: 1
- Hidden Files and Directories: 1
- Impair Defenses: 2
- Disable or Modify Tools: 1
- Indicator Removal: 2
- File Deletion: 2
- Modify Registry: 8
- Subvert Trust Controls: 1
- Install Root Certificate: 1
- Virtualization/Sandbox Evasion: 2